WannaCry hasn’t hurt India's government, but there have been dangerous, unreported attacks before

Bring a cyber security law and amend the Information Technology Act to criminalise malicious online attacks, urge experts.

Computer systems of at least 18 Andhra Pradesh police units are among the hundreds in India compromised by the WannaCry ransomware attack, which began on May 12 and is estimated to have affected more than 200,000 computers across 150 countries so far.

Ransomware is a type of malicious software designed to block access to computer systems until a sum of money is paid. The malware is usually sent through email and blocks access by encrypting the targeted system’s data. Payment of the ransom is demanded in the virtual currency Bitcoin, which the Reserve Bank of India does not recognise as an authorised mode of exchange.

In India, ransomware attacks have become rampant since 2015, cyber security experts said, finding victims in a wide range of industries, from pharmaceuticals to hospitality and banking to information technology.

The latest global attack infected computers at private enterprises in Mumbai, Hyderabad, Bangalore and other cities. The Andhra Pradesh police was the first government agency to report being affected. Now, it has emerged that the Gujarat State Wide Area Network and customer care centres of the West Bengal Electricity Distribution Company Limited, a public sector undertaking, were affected as well.

For government agencies in India, though, WannaCry is not the first ransomware experience. At least two such attacks have been reported in the past one year.

State of vulnerability

In January 2017, three servers in the Delhi office of the Quality Council of India, an accreditation body set up jointly by the central government and the Indian industry associations, were attacked by Cerber ransomware. It took cyber security experts over 36 hours to unblock the system through decryption applications. No ransom had to be paid, said a cyber security expert who was involved in the operation.

According to Kislay Chaudhary, a cyber security consultant with the central government, using decryption applications to unblock ransomware-infected computers is easier said than done. There are thousands of decryption applications available on the internet and each has a specific purpose. So the operation is essentially a hit-and-miss. If all the available applications fail to decrypt the data, the only option left is to wait for the discovery of the malicious software’s kill switch to unblock the computer.

In May 2016, computer systems of Maharashtra’s revenue and public works departments were infected by Locky ransomware.

Ransomware blocks access to the infected computer by encrypting data and demands payment to unlock it. Image credit: Reuters

“It is not that government agencies are more vulnerable to these attacks,” said Chaudhary. “The most vulnerable are private or independent servers and customised mail boxes, which fail to spam emails with malware attachments, often because of lack of investment in making the systems safe enough, and inadequate research and development.”

Pavan Duggal, an advocate with expertise in cyber security law, however, contended that “what is visible on the surface is just the tip of the iceberg”.

“Most ransomware attacks are unreported and India is no exception to that,” he said. “Top information technology companies, banks and even government agencies in the country have witnessed such attacks in the past three years. But most attacks were local and isolated in nature. A mass attack like WannaCry is unprecedented.”

So, how can such attacks be tackled? Duggal said India must urgently enact a cyber security law and amend the Information Technology Act to make cyber attacks criminal offences and clearly chalk out the roles and responsibilities, accountability and liabilities of internet service providers and intermediary agencies in case of such offences.

Outside of the government, Cyber Peace Foundation, a Jharkhand-based cyber security non-profit, has invested in a project called Honey Net to combat cyber attacks. Under this project, the NGO has set up deliberately vulnerable computer networks in 10 states, including Jharkhand, Gujarat, Andhra Pradesh and Karnataka, to invite cyber attacks in order to analyse their nature. They recorded an unusual trend a day before the global cyber attack of May 12.

“The system which usually endures 147 cyber attack attempts per day on an average actually endured around 9,000 attacks on Thursday,” said Vineet Kumar, the founder of the NGO. They have received requests to deal with 15 WannaCry infections. These clients include private enterprises, academic institutes and government agencies, Kumar said, but did not disclose their identities.

Lax security

In the wake of the WannaCry attack, the Indian government’s Computer Emergency Response Team issued a critical alert and an advisory while the Ministry of Information Technology reached out to key stakeholders such as the Reserve Bank of India, National Payments Corporation of India, National Informatics Centre and Unique Identification Authority of India, advising them to protect their systems against WannaCry and ensure protection of the digital payments ecosystem in the country, PTI reported. The Reserve Bank, in turn, directed banks to shut down their ATM networks until the machines received the Windows software update that protects against the ransomware.

“ATM operations are usually outsourced to third parties and it is shocking that more than 70 percent of the ATM network in India operates on Windows XP,” said Chaudhary, referring to an older version of Microsoft’s operating system. “Microsoft has stopped issuing update patches for the XP, though the case of WannaCry is exceptional because they had released patches on receipt of prior input about a possible leak. But most users, including government agencies, often act reluctant in installing update files.”

Chaudhary also said Indian banks have witnessed several malware attacks in the past “but surprisingly many of them are yet to take adequate measures for protection”.
